Net-SNMP and snmpd Coexistence on OpenBSD

Although it would be awesome to ditch Net-SNMP altogether now that the base OpenBSD SNMP daemon has support for all of the OpenBSD-related MIBs (CARP, PF, kernel sensors), the reality is that Net-SNMP still offers some features that are needed. OpenBSD doesn’t have any SNMP tools (snmpwalk, snmpset, etc.) so these are still required from Net-SNMP. There are also some unique features in the Net-SNMP daemon that are still useful if you want to do things like monitor BIND9 or Postfix statistics.

Here’s how to run both at the same time and leverage snmpd for the OpenBSD-related MIBs and the Net-SNMP daemon for its ability to retrieve data from scripts and extend itself using loadable modules and smux sub-agents.

One of the unique features of the Net-SNMP daemon is its ability to proxy SNMP requests and forward them to another agent. By using this feature, queries for OpenBSD-related OIDs can be proxied through to the OpenBSD snmpd and Net-SNMP can handle the rest.

The settings for Net-SNMP are configured in /etc/snmp/snmpd.conf and should look like this:

proxy -v2c -c public 127.0.0.1:161 .1.3.6.1.4.1.30155
agentaddress 172.16.0.3:161

The proxy setting takes the same basic arguments as snmpwalk(1), snmpset(1), etc. You should explicitly set the SNMP version and community string as these are not passed through from the original SNMP query. This community string is used when querying the OpenBSD snmpd, so make sure it matches how snmpd has been configured (see below). The IP and port are where the OpenBSD snmpd is listening, and the OID string is the root under which all the OpenBSD-related MIBs sit. Net-SNMP will proxy any requests for children of this OID to the OpenBSD snmpd.

The agent must be manually bound to a specific IP (as opposed to the default of “all IPs on the machine”) using the agentaddress setting because of the second listener on 127.0.0.1. You can’t have one listener on a specific IP and the other on “all IPs” for the same port.

I know what you’re thinking: put snmpd on a port other than 161. As of this writing, you cannot configure the listening port in the OpenBSD snmpd, only the listening IP address.

The configuration for OpenBSD’s snmpd is done in /etc/snmpd.conf and should look like this:

listen on 127.0.0.1
read-only community public

This is enough to allow Net-SNMP to query snmpd. Other options may be present in your snmpd.conf but these two are the only ones related to the coexistence with Net-SNMP.

Note: If you send traps from the OpenBSD snmpd, you can still set “listen on” to 127.0.0.1. Trap PDUs will be sourced from the outgoing interface IP address.
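One way to sanity-check the two files before restarting either daemon, as an added example that is not part of the original post. The function names are hypothetical, and it only understands IPv4 addresses and the directive forms shown on this page.

```python
# Added example (not from the original post): consistency check for the two
# configs described above. Only the directive forms shown on the page are parsed.

def _tokens(text):
    """Yield whitespace-split tokens per line, comments and blanks removed."""
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()
        if tok:
            yield tok

def host_of(spec):
    """Address part of [transport:]address[:port]; a bare port means all IPs."""
    parts = spec.split(":")
    if parts[0].lower() in ("udp", "tcp"):
        parts = parts[1:]
    return "0.0.0.0" if not parts or parts[0].isdigit() else parts[0]

def check(netsnmp_conf, openbsd_conf):
    """Return a list of problems that would break the proxy setup."""
    agents, proxies, listen, community = [], [], [], None
    for tok in _tokens(netsnmp_conf):
        if tok[0].lower() == "agentaddress" and len(tok) > 1:
            agents += [host_of(a) for a in tok[1].split(",")]
        elif tok[0].lower() == "proxy" and len(tok) >= 3:
            args = tok[1:]
            comm = args[args.index("-c") + 1] if "-c" in args else None
            proxies.append((comm, host_of(args[-2]), args[-1]))  # HOST OID come last
    for tok in _tokens(openbsd_conf):
        if tok[:2] == ["listen", "on"] and len(tok) > 2:
            listen.append(tok[2])
        elif tok[:2] == ["read-only", "community"] and len(tok) > 2:
            community = tok[2]
    problems = []
    for host in agents or ["0.0.0.0"]:  # no agentaddress: Net-SNMP binds all IPs
        if host == "0.0.0.0":
            problems.append("Net-SNMP binds all IPs and collides with snmpd on port 161")
        elif host in listen:
            problems.append(f"both daemons bind {host}")
    for comm, host, oid in proxies:
        if host not in listen:
            problems.append(f"proxy for {oid} targets {host}, snmpd does not listen there")
        if comm != community:
            problems.append(f"proxy for {oid} community does not match snmpd.conf")
    return problems

# Constructed sample input: the two configurations from this page.
NETSNMP = "proxy -v2c -c public 127.0.0.1:161 .1.3.6.1.4.1.30155\nagentaddress 172.16.0.3:161"
OPENBSD = "listen on 127.0.0.1\nread-only community public"

if __name__ == "__main__":
    print(check(NETSNMP, OPENBSD) or "configs are consistent")
```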

With the settings above, Net-SNMP will still handle queries for standard MIBs such as HOST-RESOURCES-MIB. These too can be proxied through to OpenBSD snmpd by using the OIDs below.

MIB                  Base OID
HOST-RESOURCES-MIB   .1.3.6.1.2.1.25
IF-MIB               .1.3.6.1.2.1.2
IP-MIB               .1.3.6.1.2.1.4
SNMPv2-MIB           .1.3.6.1.2.1.1
BRIDGE-MIB           .1.3.6.1.2.1.17

Please post a comment if you are one of the people who needs to keep the Net-SNMP daemon around. It’d be great to build up the features in the OpenBSD snmpd so we can one day eliminate the need for Net-SNMP.

6 thoughts on “Net-SNMP and snmpd Coexistence on OpenBSD”

  1. What would be great is to implement AgentX support into OpenBSD snmpd. This way, the most interesting modules of NetSNMP snmpd could be transformed into a subagent and attached to OpenBSD snmpd which would then handle incoming requests from external managers.

  2. It would be nice to proxy in the reverse way, world to OpenBSD snmpd to Net-SNMP, as it would allow one to benefit from the normally better security of snmpd (privsep, code audit, …)

    1. Yeah I’ve thought that too. It would take someone with a vested interest in seeing that feature to code it up. I don’t see any of the regular snmpd hackers doing it.
